>
>
> That security issue is completely independent from XSS, which is where
> client-side scripts are inserted into user generated content which, when
> subsequently output by the server in the page and viewed by other users,
> execute in the browser with the same origin, and thus priviliges, as a
> normal script inserted by the page owner would have.
>
> http://en.wikipedia.org/wiki/Cross-site_scripting
>
> Sandboxing in this context in an additional layer of protection against
> XSS. It's a signal to the browser that it should not permit, for example,
> the execution of scripts, or to allow scripts but resrict their access in
> specific ways (depending on the sandbox attribute's value).
>
Let me ask you something else Lachlan: is there any CMS, such as Wordpress
or Drupal, or any other application in the entire world that wants to let
you store a comment with a script injection into the database?
The srcdoc attribute is attempting to solve a problem that's not a browser's
to solve.
> --
> Lachlan Hunt - Opera Software
>
Shelley
> http://lachy.id.au/
> http://www.opera.com/
>